diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py index 9b4bab63df..a5a7b09c0f 100644 --- a/keystone/common/policies/endpoint_group.py +++ b/keystone/common/policies/endpoint_group.py @@ -10,10 +10,51 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy from keystone.common.policies import base +deprecated_list_endpoint_groups = policy.DeprecatedRule( + name=base.IDENTITY % 'list_endpoint_groups', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_get_endpoint_group = policy.DeprecatedRule( + name=base.IDENTITY % 'get_endpoint_group', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_list_projects_associated_with_endpoint_group = policy.DeprecatedRule( + name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_list_endpoints_associated_with_endpoint_group = policy.DeprecatedRule( + name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( + name=base.IDENTITY % 'get_endpoint_group_in_project', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( + name=base.IDENTITY % 'list_endpoint_groups_for_project', + check_str=base.RULE_ADMIN_REQUIRED, +) + + +DEPRECATED_REASON = """ +As of the Train release, the endpoint groups API now understands default roles +and system-scoped tokens, making the API more granular by default without +compromising security. The new policy defaults account for these changes +automatically. Be sure to take these new defaults into consideration if you are +relying on overrides in your deployment for the endpoint groups API. +""" + + group_endpoint_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_endpoint_group', @@ -24,14 +65,17 @@ group_endpoint_policies = [ 'method': 'POST'}]), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='List endpoint groups.', operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_endpoint_groups, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='Get endpoint group.', operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' @@ -39,7 +83,10 @@ group_endpoint_policies = [ 'method': 'GET'}, {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), - 'method': 'HEAD'}]), + 'method': 'HEAD'}], + deprecated_rule=deprecated_get_endpoint_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, @@ -58,24 +105,30 @@ group_endpoint_policies = [ 'method': 'DELETE'}]), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description=('List all projects associated with a specific endpoint ' 'group.'), operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects'), - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_projects_associated_with_endpoint_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='List all endpoints associated with an endpoint group.', operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/endpoints'), - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_endpoints_associated_with_endpoint_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group_in_project', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description=('Check if an endpoint group is associated with a ' 'project.'), @@ -84,15 +137,21 @@ group_endpoint_policies = [ 'method': 'GET'}, {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), - 'method': 'HEAD'}]), + 'method': 'HEAD'}], + deprecated_rule=deprecated_get_endpoint_group_in_project, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups_for_project', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='List endpoint groups associated with a specific project.', operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoint_groups'), - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_endpoint_groups_for_project, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_endpoint_group_to_project', check_str=base.RULE_ADMIN_REQUIRED, diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py index 22c8977b7e..33784af90d 100644 --- a/keystone/tests/unit/core.py +++ b/keystone/tests/unit/core.py @@ -242,6 +242,17 @@ def new_endpoint_ref(service_id, interface='public', return ref +def new_endpoint_group_ref(filters, **kwargs): + ref = { + 'id': uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'filters': filters, + 'name': uuid.uuid4().hex + } + ref.update(kwargs) + return ref + + def new_endpoint_ref_with_region(service_id, region, interface='public', **kwargs): """Define an endpoint_ref having a pre-3.2 form. diff --git a/keystone/tests/unit/protection/v3/test_endpoint_group.py b/keystone/tests/unit/protection/v3/test_endpoint_group.py new file mode 100644 index 0000000000..8d8fdb6597 --- /dev/null +++ b/keystone/tests/unit/protection/v3/test_endpoint_group.py @@ -0,0 +1,279 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from six.moves import http_client + +from keystone.common import provider_api +import keystone.conf +from keystone.tests.common import auth as common_auth +from keystone.tests import unit +from keystone.tests.unit import base_classes +from keystone.tests.unit import ksfixtures + +CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs + + +class _SystemUserEndpointGroupsTests(object): + """Common default functionality for all system users.""" + + def test_user_can_list_endpoint_groups(self): + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + + with self.test_client() as c: + r = c.get('/v3/OS-EP-FILTER/endpoint_groups', headers=self.headers) + endpoint_groups = [] + for endpoint_group in r.json['endpoint_groups']: + endpoint_groups.append(endpoint_group['id']) + + self.assertIn(endpoint_group['id'], endpoint_groups) + + def test_user_can_get_an_endpoint_group(self): + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + with self.test_client() as c: + c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + headers=self.headers) + + def test_user_can_list_projects_associated_with_endpoint_groups(self): + project = PROVIDERS.resource_api.create_project( + uuid.uuid4().hex, unit.new_project_ref( + domain_id=CONF.identity.default_domain_id + ) + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + PROVIDERS.catalog_api.add_endpoint_group_to_project( + endpoint_group['id'], project['id']) + with self.test_client() as c: + r = c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' + % endpoint_group['id'], headers=self.headers) + projects = [] + for project in r.json['projects']: + projects.append(project['id']) + self.assertIn(project['id'], projects) + + def test_user_can_list_endpoints_associated_with_endpoint_groups(self): + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + endpoint = unit.new_endpoint_ref(service['id'], region_id=None) + endpoint = PROVIDERS.catalog_api.create_endpoint( + endpoint['id'], endpoint + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + with self.test_client() as c: + r = c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints' + % endpoint_group['id'], + headers=self.headers) + endpoints = [] + for endpoint in r.json['endpoints']: + endpoints.append(endpoint['id']) + self.assertIn(endpoint['id'], endpoints) + + def test_user_can_get_endpoints_associated_with_endpoint_groups(self): + project = PROVIDERS.resource_api.create_project( + uuid.uuid4().hex, unit.new_project_ref( + domain_id=CONF.identity.default_domain_id + ) + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + PROVIDERS.catalog_api.add_endpoint_group_to_project( + endpoint_group['id'], project['id']) + with self.test_client() as c: + c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s' + % (endpoint_group['id'], project['id']), + headers=self.headers) + + def test_user_can_list_endpoint_groups_with_their_projects(self): + project = PROVIDERS.resource_api.create_project( + uuid.uuid4().hex, unit.new_project_ref( + domain_id=CONF.identity.default_domain_id + ) + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + PROVIDERS.catalog_api.add_endpoint_group_to_project( + endpoint_group['id'], project['id']) + with self.test_client() as c: + r = c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups' + % project['id'], + headers=self.headers) + endpoint_groups = [] + for endpoint_group in r.json['endpoint_groups']: + endpoint_groups.append(endpoint_group['id']) + + +class _SystemReaderAndMemberUserEndpointGroupsTests(object): + """Common default functionality for system readers and system members.""" + + def test_user_cannot_create_endpoint_groups(self): + create = { + 'endpoint_group': { + 'id': uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'filters': {'interface': 'public'}, + 'name': uuid.uuid4().hex + } + } + + with self.test_client() as c: + c.post( + '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_update_endpoint_groups(self): + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + + update = {'endpoint_group': {'filters': {'interface': 'internal'}}} + + with self.test_client() as c: + c.patch( + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update, + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_delete_endpoint_groups(self): + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + + with self.test_client() as c: + c.delete( + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_add_endpoint_group_to_project(self): + project = PROVIDERS.resource_api.create_project( + uuid.uuid4().hex, unit.new_project_ref( + domain_id=CONF.identity.default_domain_id + ) + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + with self.test_client() as c: + c.put('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s' + % (endpoint_group['id'], project['id']), + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_cannot_remove_endpoint_group_from_project(self): + project = PROVIDERS.resource_api.create_project( + uuid.uuid4().hex, unit.new_project_ref( + domain_id=CONF.identity.default_domain_id + ) + ) + endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( + endpoint_group['id'], endpoint_group + ) + with self.test_client() as c: + c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s' + % (endpoint_group['id'], project['id']), + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + +class SystemReaderTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserEndpointGroupsTests, + _SystemReaderAndMemberUserEndpointGroupsTests): + + def setUp(self): + super(SystemReaderTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_reader = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_reader + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.reader_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_reader['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + +class SystemMemberTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserEndpointGroupsTests, + _SystemReaderAndMemberUserEndpointGroupsTests): + + def setUp(self): + super(SystemMemberTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_member = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_member + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.member_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_member['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}